Full Disclosure mailing list archives
RE: windowsupdate
From: "Drew Copley" <dcopley () eeye com>
Date: Thu, 21 Aug 2003 11:21:26 -0700
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of *Hobbit*
Sent: Wednesday, August 20, 2003 4:08 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] windowsupdate

[Observation stolen from nanog.]

Windows Update uses ActiveX Controls and active scripting to display content correctly and to determine which updates apply to your computer. To view and download updates for your computer, your Internet Explorer security settings must meet the following requirements:

* Security must be set to medium or lower
* Active scripting must be set to enabled
* The download and initialization of ActiveX Controls must be set to enabled

What the hell are you people thinking?!
They did screw up. Their design is flawed, but they have a good base there to fix it, if they ever decide to.

The primary security model of Internet Explorer is shown in the Windows 2003 version. ActiveX is disabled. File downloading is disabled. JavaScript and Visual Basic Script are disabled. Input forms are disabled. All of this is disabled in the Internet Zone. Windows Update is placed in the Trusted Zone. The problem is they ask you to place every site you want to download a file from or run ActiveX - or do any of this stuff - in the Trusted Zone.
From a corporate standpoint where users may be prevented from doing these things... this may be "good". Users will be prevented from doing just about anything. But IE had this capability all along, anyway.
From a regular user standpoint, this means that users will be going into their archaic settings and changing these settings to fit their own dislikes and likes. As these settings are poorly done - poorly designed, that is - users are very likely to enable "features" such as "always run untrusted ActiveX" or something else which every spyware popup on the planet would drool over.

There are other issues which have been brought up... XSS on trusted sites now invades the full security model of IE (though, it might be noted, trusted is not what it used to be, I think; regardless, trusted does not mean system access)... Etc, etc.

Lastly, why is this concern just given to Windows 2003? That is an expensive upgrade. According to the latest stats, this is 95% of the browsing public we are talking about here. Microsoft has an obligation to the public. The days of playing Machiavelli (or is that Darth Sidious?) should be over.

And do not think this much-touted security feature of Windows 2003 is something which is expensive or out of this world. From what I can tell, it is just a bit more of a settings manager - an awkward one at that.
_H*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
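The zone model argued over above (everything disabled in the Internet zone, Windows Update and every other "useful" site pushed into Trusted sites) is driven entirely by per-user registry values, so the practical question for an administrator is: what is this user's Internet zone actually allowing, and how many sites has the user already dumped into Trusted sites? The script below is an added example, not code from the original thread and not Microsoft's own tooling. It assumes the classic per-user IE zone layout under HKCU; the hex action IDs and the 0/1/3 value meanings are the documented IE URL action codes, and `EscDomains` is the parallel site list used by Enhanced Security Configuration on Windows Server 2003, which is the "Windows 2003" behaviour the post describes. It is read-only.

```powershell
# Added example, not part of the original post: a read-only audit of the
# Internet Explorer zone settings the thread argues about, plus the list of
# sites the user has mapped into the Trusted zone. Assumes the per-user IE
# zone registry layout; the URL action IDs are the documented IE codes.
# Nothing here modifies the registry.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Site-to-zone maps. Domains is the normal Trusted/Restricted sites list;
# EscDomains is the list Enhanced Security Configuration (Windows Server 2003) uses.
$ZoneMapKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
)

# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
$Zones = @{ 2 = 'Trusted sites'; 3 = 'Internet' }

# URL actions from the thread; the registry value names are these hex action IDs.
$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1601' = 'Submit non-encrypted form data'
    '1803' = 'File download'
}

# DWORD meanings shared by every action: 0 = Enabled, 1 = Prompt, 3 = Disabled
$State = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Enabled in the Internet zone, these are the "always run untrusted ActiveX"
# style settings the post expects frustrated users to switch on.
$RiskyInInternet = @('1004', '1201')

function Get-IEZoneAudit {
    foreach ($zoneId in ($Zones.Keys | Sort-Object)) {
        $key = Join-Path $ZoneRoot $zoneId
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($action in $Actions.Keys) {
            $raw = $props.$action
            if ($null -eq $raw)                    { $label = 'not set' }
            elseif ($State.ContainsKey([int]$raw)) { $label = $State[[int]$raw] }
            else                                   { $label = "unknown ($raw)" }
            $flag = ''
            if ($zoneId -eq 3 -and $raw -eq 0 -and $RiskyInInternet -contains $action) { $flag = 'RISK' }
            [pscustomobject]@{
                Zone    = $Zones[$zoneId]
                Action  = $Actions[$action]
                Setting = $label
                Flag    = $flag
            }
        }
    }
}

function Get-IETrustedSites {
    # Each domain is a key under the map, host labels nest as subkeys
    # (Domains\example.com\www), and scheme-named DWORDs (http, https, *) hold the zone id.
    foreach ($map in $ZoneMapKeys) {
        if (-not (Test-Path $map)) { continue }
        foreach ($item in (Get-ChildItem -Path $map -Recurse)) {
            foreach ($scheme in $item.GetValueNames()) {
                if ($item.GetValue($scheme) -ne 2) { continue }   # 2 = Trusted sites
                $rel   = $item.Name -replace '^.*\\ZoneMap\\(Esc)?Domains\\', ''
                $parts = $rel -split '\\'
                [array]::Reverse($parts)                           # www.example.com order
                [pscustomobject]@{
                    Map  = Split-Path $map -Leaf
                    Site = '{0}://{1}' -f $scheme, ($parts -join '.')
                }
            }
        }
    }
}

Get-IEZoneAudit     | Format-Table -AutoSize
Get-IETrustedSites  | Format-Table -AutoSize
```

Run it as the user whose browser you are auditing, not elevated, since the values are per-user. On a domain-joined machine the HKLM counterparts of the same keys (and the `Security_HKLM_only` policy that makes them authoritative) can override what HKCU shows, so a full audit reads both hives. A long Trusted-sites list, or a `RISK` flag in the Internet zone, is exactly the outcome the post predicts: the user has re-opened for every site what the default zone closed.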
Current thread:
- windowsupdate *Hobbit* (Aug 20)
- Re: windowsupdate Jeremiah Cornelius (Aug 21)
- RE: windowsupdate Mike Fratto (Aug 21)
- RE: windowsupdate Drew Copley (Aug 21)